Determining the Regulatory Framework for Mobile Apps

This is a sponsored message.

It seems as if there’s an app for everything, and mobile apps are becoming more common in clinical trials. Using an app in a study can be tricky, though, especially when it comes to regulatory compliance.

To determine the appropriate regulatory framework for an app used in a research project, there are many aspects to consider, such as:

  • Is the app itself the object of the research? Is it being evaluated, or is it used for another purpose, such as logistical support or data collection?
  • What data does it collect, process, and share? Would the Health Insurance Portability and Accountability Act (HIPAA) apply?
  • How do local regulatory requirements apply to the app and its usage? Where is the app being used? Where is the data being processed and stored?

Mobile apps used in research may be subject to a variety of federal regulations and policies, such as the Common Rule (45 CFR 46), FDA regulations (like 21 CFR 11), or the HIPAA Privacy Rule. Additionally, some federal rules may apply more broadly, such as certain Federal Trade Commission (FTC) rules and the Children’s Online Privacy Protection Act (COPPA).

Mobile apps are also subject to international and state laws regarding data collection and privacy protections. State and international laws can vary widely – for example, New York and California have more extensive privacy protections, and the EU General Data Protection Regulation (GDPR) also has specific requirements.  

The FTC (in conjunction with the U.S. Department of Health and Human Services (HHS), the Office of the National Coordinator for Health Information Technology, the Office for Civil Rights (OCR), and the U.S. FDA) has developed an interactive tool to help researchers determine which laws apply to mobile health applications. The European Union Agency for Network and Information Security (ENISA) also offers guidance on privacy and data protection in mobile applications.  

In addition to these laws, many IRBs and institutions have their own guidelines and requirements surrounding the use of mobile apps in research.  

Let’s take a look at some of the more common regulatory frameworks for human subjects research involving mobile apps.  

DHHS/Common Rule 

Research activities including the use of mobile applications may be subject to the Common Rule if the activities meet the regulatory definitions of both “research” and “human subject.”  

The Common Rule contains no specific regulatory requirements for mobile apps in general; the expectation is that the use of a mobile app in a study meets the 45 CFR 46.111 criteria for IRB approval.

If the research is also subject to FDA regulations, the Common Rule requirements apply in addition to FDA’s requirements.

FDA

The FDA regulates mobile applications meeting the specific definition of mobile medical apps, also sometimes known as mobile health apps or mHealth apps. “Mobile medical apps,” according to the FDA, “are medical devices that are mobile apps, that incorporate device software functionality that meet the definition of a device in section 201(h)(1) of the Food, Drug & Cosmetic Act, and are an accessory to a regulated medical device or transform a mobile platform into a regulated medical device.”

FDA defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: 

  • Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, 
  • Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or 
  • Intended to affect the structure or any function of the human body or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the human body or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”  

The intended use of a mobile app determines whether it meets the definition of a regulated medical device. As stated in 21 CFR 801.4, “intended use” may be demonstrated by labeling claims, advertising materials, or a manufacturer’s oral or written statements.

When the intended use of a mobile app meets the regulatory definition above, the mobile app is a medical device under section 201(h) of the Food, Drug, and Cosmetic (FD&C) Act, unless it is an excluded software function (as described in section 520(o) of the Act).

One example FDA provides of an app regulated as a medical device is a glucose monitoring app that controls insulin infusion pumps. (Appendix C of the FDA’s Policy for Device Software Functions and Mobile Medical Applications provides additional information.)

The agency also provides the resource Examples of Software Functions that are NOT Medical Devices, as well as examples of software functions that do appear to meet the definition of a device but for which it will exercise enforcement discretion. Apps for which FDA may exercise enforcement discretion include those meant to provide access to medical records or to provide information, education, tracking, or guidance/support related to a patient’s treatment plan.

FTC

Consumer-facing products and entities must comply with FTC regulations governing unfair or deceptive labeling and advertising practices. The FTC also provides guidance on mobile apps.

HIPAA

Mobile apps used by HIPAA-defined covered entities or their business associates that store, process, or transmit protected health information fall under the requirements of HIPAA (overseen by OCR).

Evaluate the App 

Whether you’re building an app from scratch or using an off-the-shelf product, it’s important to evaluate the app closely to understand its potential regulatory impacts. Such an evaluation can also inform instructions for subjects and staff, tech support plans, budgets, and much more.

The use of apps in research will only continue to grow. Researchers should work to understand all the implications of using such technology to help ensure adequate subject safety and data integrity.

For more on mobile apps in research, including IRB review needs and additional resources, download our white paper Data on the Go: Mobile Application Considerations for Clinical Trials and Beyond. 
